DoDI 8500.2 Solution Brief DoDI 8500.2 EventTracker | 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical solutions that transform high-volume cryptic log data into actionable, prioritized intelligence that will fundamentally change your perception of the utility, value and organizational potential inherent in log files. EventTracker’s leading solutions offer Security Information and Event Management (SIEM), real-time Log Management, and powerful Change and Configuration Management to optimize IT operations, detect and deter costly security breaches, and comply with multiple regulatory mandates. With this, it ensures successful protective monitoring and complies with the DoDI (Department of Defense Institute) requirements. DoDI 8500.2 Compliance The Department of Defense has a crucial responsibility to protect and defend its information and supporting information technology. DoDI calls for information assurance requirements to be identified and included in the design, acquisition, installation, operation, upgrade and replacement of all DoD information systems. EventTracker believes that it is crucial to monitor for compliance in a manner as close to real-time as possible. EventTracker Offers Full View of Entire IT Infrastructure EventTracker improves security, maintains compliance and increases operational efficiency. EventTracker can be deployed On-Premises for customers who prefer their equipment to reside in their data center. EventTracker is a software-based SIEM and log management solution that resides in a Windows Server environment. EventTracker may also be deployed in a virtual environment using VMware. In both cases, On-Premises installation implies that the EventTracker software resides at the customer’s location in some form or fashion. For some customers, the space requirements, manpower issues, or lack of technical expertise make a cloud-hosted solution more attractive, and EventTracker is deployed in a Tier 1 EventTracker data center. EventTracker will manage the following: • Secure Virtual Private Cloud (single tenant) environment • Installation • Server disk space • Platform management • Antivirus installation and updates • Windows updates • Back-up/restore 2 DoDI 8500.2 EventTracker SIEM enables your organization to be aware of potential security risks and internal/ external threats that can be identified and eliminated before they are exploited. It guarantees your organization the ability to respond to a security incident and have the necessary data and tools for forensic analysis. The total time required to investigate and mitigate a security incident can be reduced by up to 75 percent, minimizing the potential exposure and costs. SIEMphonic is our professional services engagement to enhance the value of the EventTracker SIEM product. Our experienced staff assumes responsibility for all SIEM related tasks including daily incident reviews, daily/weekly log reviews, configuration assessments, incident investigation support and audit support. We augment your IT team, allowing you to focus on the unique requirements of your enterprise, while actively leveraging our expertise. Strong Access Control policy and procedures EventTracker SIEM enables automatic, unattended consolidation of millions of events in a secure environment along with incrementally scalable to meet the needs of any size organization. It also supports an infinite number of collection points, with each collection point able to process over 100,000 events per second. All this data is identified by the product based Knowledge Base, which contains detailed information on over 20,000 types of events, and automatically determines which logs are alerts, which are incidents, and which can be ignored. Log Collection includes a flexible, agent-optional architecture providing managed real-time and batch aggregation of all system, event and audit logs. EventTracker SIEM supports UDP and TCP (guaranteed delivery) log transport and is FIPS 140-2 compliant for transmission of events from agent/collection point to console. EventTracker SIEM provides customizable, role-based dashboards that allow organizations to control the information visible to a user based on their role in the organization. It also allows users to remove the information they do not want to see, and rearrange the location of the information on the dashboard. For example, a system administrator may only have access to the information on the ten servers they are responsible for maintaining, while the director of security will see the relevant information concerning the entire infrastructure. It is from this interface that all searches are performed, and detailed information on an event can be accessed. EventTracker SIEM is designed to make the user experience as easy and efficient as possible. EventTracker complies with OWASP guidelines which enforce the product to have a strong authentication and authorization mechanisms in order to restrict the user access. It incorporates default deny policy bringing more security to customers. It monitors changes on the file system and in the system registry of a Windows system and substantially improves corporate security and availability. EventTracker monitors all administrators and users activities for all critical file and folder access on all servers. It monitors successful and failed logon attempts to all servers either locally or remotely. Each EventTracker user has specific user credentials and permissions. With the authentication and authorization mechanism implemented by EventTracker, access privileges are controlled. DoDI 8500.2 3 Continuous Monitoring EventTracker successfully monitors the complete audit information that comprises of information related to audit records, audit settings and audit reports. EventTracker Enterprise offers the most comprehensive and flexible search options in the SIEM/Log Management industry. Whether users are responding in real-time to a threat or system issue or looking back in time to piece together a user’s activity spanning months, EventTracker Enterprise Search gets all users what they need quickly in a useable format. EventTracker Enterprise stores events in their original state and the complete contents are accessible to the user and its reporting allows users to easily report on all event data on either a scheduled or ad-hoc basis. Extract archive data from compressed storage, smart tokens allow you to immediately see interesting fields and patterns in the results. Our dedicated knowledge team is constantly adding log information from popular products to the token library and so can users. Smart tokens free users from having to frame precise queries, which is something advanced users can do. Empower business users and junior staff to extract meaningful data from data sets. The true challenge of big data is to quickly extract meaningful information – smart tokens are an exciting innovation to satisfy this need. EventTracker’s list management features are available to all users to manage internal and external feeds of threat intelligence. Lists, once created, can be updated automatically. Lists can be used to search through log data, thereby clearly seeing if global trends are impacting your network. Open Source feeds such as those provided by the Internet Storm Center Dshield block list, Team Cymru etc can also be integrated. List look-up APIs is available for use in remedial actions. This allows efficient creation and use of both black and white lists for processes, IP addresses, services and port numbers. EventTracker Enterprise also provides enhanced end-point monitoring and security, generating an event when USB/DVD/CD removable media is inserted including the username and device serial number; all file transfers to USB/DVD/CD devices are recorded including the time/date stamp; USB devices can be automatically disabled based on serial number. Security of Enterprise Devices EventTracker is a SIEM and Log Management solution that helps you secure your organization’s environment. EventTracker takes the baseline snapshot of customer’s IT infrastructure with which users can gather and document user activity, view group memberships, share permission levels and security settings over a timeframe to know your environment’s stable state. Then at any point of time EventTracker can take current snapshot informing users when the current setting differs from that recommended by a security standard, so IT can investigate. Ease of DODI 8500.2 Reporting and Alerting 4 DoDI 8500.2 EventTracker has developed specific reports, rules and dashboards to help meet the Security controls detailed within DODI. These reports, rules and dashboards can be easily and intuitively customized for specific environments. Vulnerability Assessment and Intrusion Detection Services EventTracker Vulnerability Assessment Service (ETVAS) is provided as an optional service to our EventTracker customers. The service detects and reports vulnerabilities present on IT assets including operating systems, applications, network devices etc in the target network. The report also includes possible mitigation steps. The service is provided on a periodic basis as per customer’s requirement (usually weekly/monthly/quarterly). Customers of this service provide a total number of assets to be scanned for vulnerabilities (e.g., 200) and the periodic schedule for scanning (e.g., weekly/monthly/quarterly). The EventTracker Vulnerability Assessment Service (ETVAS) has inbuilt Snort IDS which will help users to detect any attacks with the IDS/IPS and also to determine if any changes have been made to the environment that may be related to a given attack. Snort network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol networks. Snort performs protocol analysis, content searching, and content matching. These basic services have many purposes including application-aware triggered quality of service, to de-prioritize bulk traffic when latency-sensitive applications are in use. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans. This ETVAS is tightly integrated with EventTracker to alert the customer and required reports will also be scheduled for the ease of our customer. DoDI 8500.2 5 Statement of Compliance: DoDI 8500.2 DODI 8500.2 Requirements EventTracker Capability EventTracker Reports Sample EventTracker Alerts ECAN-1 ECPA-1 PRAS-1 DCAR-1 IAAC-1 ACCESS CONTROL POLICY AND PROCEDURES EventTracker manages information system accounts, including: Active Directory: -> User added User deleted Change Audit: Authorized changes Cisco IOS: Accounting services Cisco NAC: -> Guest login failed User Activity Correlated events Failed interactive logins Files Deleted Group policy activity Idle Time Printer activity Software installed Software uninstalled Successful interactive logins Successful non-interactive logins Websites visited Security: -> Account Management Account privileges Account renames User account disabled User account enabled User account locked User added User added to group User deleted User removed from group Solaris BSM: -> Disable user User management Syslog: User process events Telemkt: -> User calling User login User logout User Logon Failure Report VMware ESX: -> Failed user login Successful user login User logout ArubaOS: DHCP client disabled • Identifying authorized users of the information system and specifying access privileges. • Establishing, activating, modifying, disabling, and removing accounts. • Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-toknow/need-to-share changes; BIG-IP LTM: -> User account deleted Serious Packet filtering disabled Cisco NAC: Guest login failed DigitalPersona Pro: -> Account locked out Shared account problem DNS update disabled EventTracker: -> USB device disabled Behavior rule deactivated Forefront Client: Scan disabled Forefront TMG: Malware inspection disabled Imperva DAM: SAP-Suspected activity in accounting documents tables McAfee EPO: OAS scanning engine disabled RSA SecurID: -> Account lockout Serious Agent disabled Token disabled Security: -> User account locked out User account disabled Sonicwall: Antispam service disabled USB Device Disabled Report DoDI 8500.2 6 DODI 8500.2 Requirements EventTracker Capability EventTracker Reports Sample EventTracker Alerts DCFA-1, ECAN-1, EBRU-1, PRNK-1, ECCD-1, ECSD-2 ACCESS ENFORCEMENT EventTracker manages Access control policies and access enforcement mechanisms to control access between users and objects in the information system. Consideration is given to the implementation of an audited, explicit override of automated mechanisms in the event of emergencies or other serious events. If encryption of stored information is employed as an access enforcement mechanism, the cryptography used is FIPS 140-2 (as amended) compliant. Check Point: Administrator login EventVault CAB integrity checksum failure Cisco Catalyst: -> Access control list Access control list error Cisco IOS: Access control list Cisco Switch: Access control list manager error DHCP: Database integrity EventTracker: -> Admin Activity CAB integrity verification FortiAnalyzer: User access profile changed LOGbinder: SharePoint access control change McAfee EPO: Enforce policy failed McAfee Sidewinder: -> Network access control allowed Network access control violation MSExchange: -> User accessed own mailbox Wireless Switch: -> Access control list Encryption key exchange Syslog: -> Authorization events Privilege authorization events EBBD-1, EBBD-2 INFORMATION FLOW ENFORCEMENT Too many to list, including reports on Window, UNIX, Linux, network devices including firewalls (CISCO PIX, Checkpoint) routers and switches, infrastructure applications like Citrix, IIS, databases and many more… CISCO PIX: IDS Intrusion detected Excessive -> Access failures in your enterprise Access failures on specific computer File deletes on a computer Access failure by user Logon failures due to bad password Logon failures in your enterprise Remote connections established Remote connections established on a local network port User Lockout ISA Server: -> Port Scan Detected Land Attack detected Out-of-bound attack Ping attack Spoof attack UDP attack Logon Failures Logon Failures from a specific computer Netscreen: -> IDS Intrusion detected Security device error DoDI 8500.2 7 EventTracker monitors unauthorized use of the information system. EventTracker monitors the information system both externally and internally. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system (e.g., within internal organizational networks and system components). Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, audit record monitoring software, network monitoring) EventTracker Capability EventTracker Reports Sample EventTracker Alerts ECLO-1 Logon EventTracker monitors unsuccessful login attempts may be implemented at both the operating system and the application levels. ArubaOS: Authentication failed Administrative logon failure Admin Interactive/Remote Interactive login failure ArrayOS SPX: Authentication failure ArubaOS: Authentication failed Astaro security gateways: Authentication failed Aventail: Authentication failed BIG-IP LTM: -> Authentication failed Root login failure Cisco ACS: Authentication failed Cisco ASA: Authentication failed Cisco NAC: -> Admin login failed Guest login failed Remote login failed User login failed Wireless user login failed Citrix NetScaler: Login failed CISCO PIX: Authentication failed CISCO VPN: Admin Access Authentication failure Cisco WLAN: -> Authentication failure User login failed Forefront TMG: Authentication failed Forefront UAG: User login failed FortiAnalyzer: User login failed Fortimail: User login failed McAfee IntruShield IPS: MSSQL User Login Failed MSExchange: Logon failure on mailbox database MySQL: Authentication failure Netscreen: Authentication failure Oracle: Logon failure Paloalto Firewall: -> Logon failure VPN logon failure Raritan: Authentication failure RSA SecurID: Authentication failed Sonicwall: -> Administrator login failed User login failed Authentication failed SOX - CISCO PIX: Authentication failure Syslog: User login failed Session setup authentication failed Astaro security gateways: Authentication failed Aventail: Authentication failed BIG-IP LTM: Authentication failed Check Point: Failed login Cisco ACS: Authentication failed Cisco Aironet: Authentication failed Cisco Catalyst: Authentication failed Cisco NAC: -> Admin login failed Guest login failed RADIUS authentication failed Remote login failed User login failed Wireless user login failed Cisco WLAN: User login failed Citrix NetScaler: Login failed Forefront TMG: Authentication failed Forefront UAG: User login failed FortiAnalyzer: User login failed Fortimail: User login failed Imperva DAM: Database failed login JUNOS: -> Authentication failed Login failed Oracle: Logon failed RSA SecurID: Authentication failed Solaris BSM: Failed local logon/ logoff Sonicwall: -> Administrator login failed Authentication failed User login failed Syslog: User login failed VMware ESX: Failed user login 8 DoDI 8500.2 DODI 8500.2 Requirements DODI 8500.2 Requirements EventTracker Capability EventTracker Reports Sample EventTracker Alerts ECAT-1 EventTracker monitors audit processing failures like software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Active Directory: -> Group Policy (all reports) User logons User logoffs ArrayOS SPX: Remote access traffic tunnel failure Checkpoint: Audit activities Cisco NAC: Remote login failed Forefront UAG: Remote user request denied Exchange ActiveSync: Policy compliance EventTracker: -> CAB integrity verification Collection master error Collection point error Disk Space low Eventlog full Initial User Network logon NetApp Data ONTAP: -> Delete Access Read Access Write Access Security: -> User logon User logoff Access Control (all reports) Solaris BSM: -> Domain Policy Changed ECAT-2 E3.3.9 SUPERVISION AND REVIEW – ACCESS CONTROL System Audit Log Cleared Critical Service Not Running Critical Service Not Started Event Log Full Event Log Cleared EventTracker agent service failed Collection Master Error Collection Point Error IIS Logging Shutdown MSExchange: Log disk full System Shutdown SQL Server: Transaction Log Full Admin Login Failure Admin Login Success Solaris BSM: SU failure Solaris BSM: SU success Solaris BSM: User Management Audit Policy changes SU failure SU success Privileged use Windows: -> Account logon Account logon failure DoDI 8500.2 9 DODI 8500.2 Requirements EventTracker Capability EventTracker Reports EBRP-1 EventTracker monitors unauthorized remote access to the information system. It authorizes remote access to the information system prior to connection and enforces requirements for remote connections to the information system. EventTracker: Initial User EBRU-1 REMOTE ACCESS Sample EventTracker Alerts Network logon *Security: -> User logon User logoff Policy Change Audit Policy change Solaris BSM: Remote access events Syslog: Remote/SSH system accessed VMware ESX: -> Remote console connected Remote console disconnected Windows: -> Account logon Account logon failure ECAT-1 ECTB-1 DCAR-1 ECTP-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES EventTracker successfully monitors the complete audit information that comprises of information about audit records, audit settings and audit reports Active Directory: -> Admin Login Failure Group Policy (all reports) Domain Policy Changed Deleted Share EventTracker CAB integrity checksum failed Share Folder deleted Changed Audit: Files Deleted Checkpoint: Audit activities File Resource Access -> Success: Delete Access Failure: Delete Access NetApp Data ONTAP: Delete Access *Security: -> Policy Change Audit Policy change Solaris BSM: Audit Policy changes DoDI 8500.2 10 DODI 8500.2 Requirements EventTracker Capability EventTracker Reports Sample EventTracker Alerts ECAR-1 EventTracker monitors and audits all types of events and captures all event information All audit events All DNS server events All error events All file replication events All IMAP4 interface events All information events All Syslog events All warning events All altiris deployment solution events All backup exec events All citrix events All crystal enterprise events All sharepoint server events Application: Dr.Watson events Astaro Security Gateways: All events Check Point: -> All Checkpoint management events All firewall events All identity awareness events All IPS events Cisco Aironet: All events Cisco ASA: All events Cisco Director: All events Cisco IOS: All events Cisco PIX: All events Cisco VPN: NTP subsystem and general events Citrix NetScaler: All events Cyberoam UTM: All events Dell OMSA: All events Device and media events DHCP: -> *All DHCP events DHCP critical events DoubleTake: All events EventTracker: -> All Events No events received in last 24 hour F-Secure: All events Forefront Client: All events Forefront TMG: All events Forefront UAG: All events FortiAnalyzer: Critical error events Fortigate: All events Fortimail: All events Hyper V: *All events EventTracker: No events received in last 24 hour ECAR-2 ECAR-3 ECLC-1 AUDITABLE EVENTS 11 Audit event records discarded Forefront TMG: Event Log Deletion Failure High DoDI 8500.2 (continued) FortiAnalyzer: Critical error events DODI 8500.2 Requirements EventTracker Capability EventTracker Reports Sample EventTracker Alerts (continued) (continued) 12 DoDI 8500.2 IIS: -> Admin critical events All events ISA server: All events Juniper SBR: -> All error events All events LOGbinder: -> Noise events SharePoint search events MSExchange: -> All events Critical events Error events NNTP interface events POP3 interface events MSFTP: -> *All FTP service events FTP service critical events FTP service error events MSSQLServer: -> All error events All events Netscreen: -> All events Security device events Oracle: -> All oracle events Other oracle events SEP: All events Security: -> All security events Audit events Logon failure events Snort: All events Solaris BSM: -> All command execution events All events Network events Remote access events Sonicwall: All events Sophos: All events Syslog: -> Authorization events Clock daemon events FTP daemon events Kernel events Line printer events Mail subsystem events Network news system events Privilege authorization events Syslogd events System daemon events User process events UUCP subsystem events DODI 8500.2 Requirements EventTracker Capability EventTracker Reports Sample EventTracker Alerts (continued) TCPIP: -> Critical events Error events VMware ESX: All events Windows Backup: All events Windows Firewall: All events WTS: All events DCCB-1 DCPR-1 E3.3.9 CONTINUOUS MONITORING EventTracker monitors any changes to the hardware, software, and/or firmware components of the information system that can potentially have significant effects on the overall security of the system. EventTracker’s list management features are available to all users to manage internal and external feeds of threat intelligence. Lists, once created, can be updated automatically. Lists can be used to search through log data, thereby clearly seeing if global trends are impacting your network. List look-up APIs is available for use in remedial actions. This allows efficient creation and use of both black and white lists for processes, IP addresses, services and port numbers. Changed Audit: (all reports) Agent not running Active Directory: -> Audit log cleared Changed objects Directory permission change OU change Eventlog full CISCO PIX: Priv level changed EventTracker cab integrity checksum failure EventTracker: Service changes File/resource Access Failure: -> Change property Change ownership File/resource Access Success: -> Change property Excessive -> Ping failures-system(s) are not reachable File deletes on a computer Access failures on a specific computer Access failures in your enterprise Change ownership *Security: -> Policy Change Audit Policy Change Solaris BSM: -> Audit policy changes Set, create, change passwords Syslog: Password changed DCPP-1 ECIM-1 ECVI-1 E3.3.8 Ports, Protocols, and Services EventTracker provides the essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organizationdefined list of prohibited or restricted functions, ports, protocols, and/or services]. ArrayOS SPX: IP Access restriction Change Audit: Unauthorized changes Change Audit: Unauthorized changes Imperva DAM: -> Forefront UAG: Restricted URL access denied MSExchange: Unauthorized mailbox access attempt MSSQLServer: Unauthorized access error EBS PCI-Unauthorized access to credit card no EBS PCI-Unauthorized access to credit cardholder HIPAA - Unauthorized data modification SAP PCI-Unauthorized access to credit cardholder SAP PCI-Unauthorized access to payment card no 13 DoDI 8500.2 HIPAA-Unauthorized data access DODI 8500.2 Requirements EventTracker Capability EventTracker Reports Sample EventTracker Alerts IAGA-1 EventTracker uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). ArrayOS SPX: Authentication success BIG-IP LTM: Authentication success IAIA-1 Individual and Group Authentication ArubaOS: Authentication successful RSA SecurID: Authentication success Astaro security gateways: Authentication success Aventail: Authentication success BIG-IP LTM: Authentication success Cisco ACS: Authentication success Cisco Aironet: Authentication success Cisco ASA: Authentication success Cisco PIX: Authentication success Cisco VPN: Authentication Forefront TMG: Authentication success Juniper SBR: Authentication request success JUNOS: -> Authentication success Ipsec authentication McAfee Sidewinder: Proxy/Server authentication MySQL: Authentication success Netscreen: -> System authentication User authentication RSA SecurID: -> Authentication PIN successfully changed Authentication principal locked Authentication principal resolution Authentication success Sonicwall: Authentication success Teradata: Authentication success WatchGuard: Authentication ECMT-1 VIVM-1 VULNERABILITY SCANNING DoDI 8500.2 14 EventTracker Vulnerability Assessment Service scans for vulnerabilities in the information system; hosted applications and new vulnerabilities potentially affecting the system/ applications are identified and reported.